bb1d22ec30db84bead81e0830233b7f0855941948e2bf153729eccc43fe0059e

Analysis

max time kernel
138s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2024, 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb1d22ec30db84bead81e0830233b7f0855941948e2bf153729eccc43fe0059e.exe
Size

120KB
MD5

f44c6b36137021e500e6e4b7e6962ab7
SHA1

108d010140eb843dbe5dad3f9071c5b8eda51543
SHA256

bb1d22ec30db84bead81e0830233b7f0855941948e2bf153729eccc43fe0059e
SHA512

051f28ea003a751d92d479ea978166e1b1b3f390f01308fe74fc410a39704170ceb475842fa4aae628115f1c73d7e53c5230e46b91d68c748dfd2ac3131a759d
SSDEEP

3072:fhQ58Lm4bCeS203H/6TC+qF1SsB1bw4AVRrd9:fw8zVS9C81NBy9

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Capchmmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoapbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecbenm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfdbojmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebploj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Efneehef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Giofnacd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqalmafo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dohmlp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Efpajh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjcclf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hapaemll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dofpgqji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dagiil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe

Executes dropped EXE 64 IoCs

pid	Process
2116	Ccmclp32.exe
5060	Capchmmb.exe
3256	Digkijmd.exe
4776	Dlegeemh.exe
3536	Doccaall.exe
3224	Denlnk32.exe
4808	Dhlhjf32.exe
1040	Dofpgqji.exe
4976	Dephckaf.exe
2008	Djlddi32.exe
2896	Dljqpd32.exe
4824	Dohmlp32.exe
3500	Dagiil32.exe
2692	Dhqaefng.exe
2540	Dokjbp32.exe
1996	Dfdbojmq.exe
3140	Dlojkddn.exe
4480	Domfgpca.exe
1084	Dakbckbe.exe
2992	Efgodj32.exe
3664	Ehekqe32.exe
3952	Eoocmoao.exe
1872	Ebnoikqb.exe
5056	Ehhgfdho.exe
1336	Eoapbo32.exe
1656	Ebploj32.exe
2864	Ehjdldfl.exe
3260	Eqalmafo.exe
3760	Ecphimfb.exe
3412	Efneehef.exe
4196	Ehlaaddj.exe
3604	Eofinnkf.exe
3300	Ecbenm32.exe
1708	Efpajh32.exe
4932	Ehonfc32.exe
2664	Eoifcnid.exe
1820	Ffbnph32.exe
1168	Fokbim32.exe
1484	Ffekegon.exe
1468	Ficgacna.exe
4508	Fcikolnh.exe
3544	Ffggkgmk.exe
3956	Fjcclf32.exe
2232	Fmapha32.exe
1400	Fckhdk32.exe
5020	Ffjdqg32.exe
3064	Fjepaecb.exe
4328	Fqohnp32.exe
4964	Fbqefhpm.exe
1912	Fjhmgeao.exe
1208	Fqaeco32.exe
4988	Gcpapkgp.exe
3720	Gfnnlffc.exe
2056	Gimjhafg.exe
1004	Gmhfhp32.exe
3392	Gcbnejem.exe
4044	Gfqjafdq.exe
3100	Giofnacd.exe
3188	Gqfooodg.exe
1904	Gcekkjcj.exe
912	Gjocgdkg.exe
2712	Gmmocpjk.exe
3848	Gpklpkio.exe
3236	Gfedle32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Gfedle32.exe	Gpklpkio.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Gagaaq32.dll	Ebnoikqb.exe
File created	C:\Windows\SysWOW64\Fjepaecb.exe	Ffjdqg32.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Dephckaf.exe	Dofpgqji.exe
File created	C:\Windows\SysWOW64\Fllceb32.dll	Djlddi32.exe
File created	C:\Windows\SysWOW64\Dakbckbe.exe	Domfgpca.exe
File created	C:\Windows\SysWOW64\Efgodj32.exe	Dakbckbe.exe
File created	C:\Windows\SysWOW64\Gcpapkgp.exe	Fqaeco32.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Hjhfnccl.exe	Hcnnaikp.exe
File opened for modification	C:\Windows\SysWOW64\Kkkdan32.exe	Kbdmpqcb.exe
File opened for modification	C:\Windows\SysWOW64\Hpgkkioa.exe	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ceaklo32.dll	Hbeghene.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jmpngk32.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Gfqjafdq.exe	Gcbnejem.exe
File created	C:\Windows\SysWOW64\Haggelfd.exe	Hbeghene.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kbfiep32.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Efneehef.exe	Ecphimfb.exe
File created	C:\Windows\SysWOW64\Ppgjkamf.dll	Ehonfc32.exe
File created	C:\Windows\SysWOW64\Fbqefhpm.exe	Fqohnp32.exe
File opened for modification	C:\Windows\SysWOW64\Kpccnefa.exe	Jiikak32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Dohmlp32.exe	Dljqpd32.exe
File created	C:\Windows\SysWOW64\Ohcepmcb.dll	Ecbenm32.exe
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Gcbnejem.exe	Gmhfhp32.exe
File created	C:\Windows\SysWOW64\Jagqlj32.exe	Jmkdlkph.exe
File opened for modification	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Lkakml32.dll	Eoapbo32.exe
File opened for modification	C:\Windows\SysWOW64\Hadkpm32.exe	Hjjbcbqj.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Jdcpcf32.exe	Iinlemia.exe
File opened for modification	C:\Windows\SysWOW64\Jjbako32.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Klfbpcko.dll	Ecphimfb.exe
File opened for modification	C:\Windows\SysWOW64\Impepm32.exe	Iidipnal.exe
File created	C:\Windows\SysWOW64\Ifhiib32.exe	Icjmmg32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Jqqjmnii.dll	Ebploj32.exe
File opened for modification	C:\Windows\SysWOW64\Ecbenm32.exe	Eofinnkf.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kphmie32.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Kbbfkb32.dll	Ehekqe32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7408	7272	WerFault.exe	293

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpmkpqcp.dll"	Dokjbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfdbojmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gagaaq32.dll"	Ebnoikqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Efneehef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfiapa32.dll"	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dokjbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ehekqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eoocmoao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejkjg32.dll"	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Efgodj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Digkijmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ccmclp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ecphimfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dokjbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dohmlp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhoohmo.dll"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbbfkb32.dll"	Ehekqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	bb1d22ec30db84bead81e0830233b7f0855941948e2bf153729eccc43fe0059e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fihpfl32.dll"	Eqalmafo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oijnep32.dll"	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghpbg32.dll"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhlhjf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hbeghene.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 2116	3532	bb1d22ec30db84bead81e0830233b7f0855941948e2bf153729eccc43fe0059e.exe	86
PID 3532 wrote to memory of 2116	3532	bb1d22ec30db84bead81e0830233b7f0855941948e2bf153729eccc43fe0059e.exe	86
PID 3532 wrote to memory of 2116	3532	bb1d22ec30db84bead81e0830233b7f0855941948e2bf153729eccc43fe0059e.exe	86
PID 2116 wrote to memory of 5060	2116	Ccmclp32.exe	87
PID 2116 wrote to memory of 5060	2116	Ccmclp32.exe	87
PID 2116 wrote to memory of 5060	2116	Ccmclp32.exe	87
PID 5060 wrote to memory of 3256	5060	Capchmmb.exe	88
PID 5060 wrote to memory of 3256	5060	Capchmmb.exe	88
PID 5060 wrote to memory of 3256	5060	Capchmmb.exe	88
PID 3256 wrote to memory of 4776	3256	Digkijmd.exe	89
PID 3256 wrote to memory of 4776	3256	Digkijmd.exe	89
PID 3256 wrote to memory of 4776	3256	Digkijmd.exe	89
PID 4776 wrote to memory of 3536	4776	Dlegeemh.exe	90
PID 4776 wrote to memory of 3536	4776	Dlegeemh.exe	90
PID 4776 wrote to memory of 3536	4776	Dlegeemh.exe	90
PID 3536 wrote to memory of 3224	3536	Doccaall.exe	91
PID 3536 wrote to memory of 3224	3536	Doccaall.exe	91
PID 3536 wrote to memory of 3224	3536	Doccaall.exe	91
PID 3224 wrote to memory of 4808	3224	Denlnk32.exe	92
PID 3224 wrote to memory of 4808	3224	Denlnk32.exe	92
PID 3224 wrote to memory of 4808	3224	Denlnk32.exe	92
PID 4808 wrote to memory of 1040	4808	Dhlhjf32.exe	93
PID 4808 wrote to memory of 1040	4808	Dhlhjf32.exe	93
PID 4808 wrote to memory of 1040	4808	Dhlhjf32.exe	93
PID 1040 wrote to memory of 4976	1040	Dofpgqji.exe	94
PID 1040 wrote to memory of 4976	1040	Dofpgqji.exe	94
PID 1040 wrote to memory of 4976	1040	Dofpgqji.exe	94
PID 4976 wrote to memory of 2008	4976	Dephckaf.exe	95
PID 4976 wrote to memory of 2008	4976	Dephckaf.exe	95
PID 4976 wrote to memory of 2008	4976	Dephckaf.exe	95
PID 2008 wrote to memory of 2896	2008	Djlddi32.exe	96
PID 2008 wrote to memory of 2896	2008	Djlddi32.exe	96
PID 2008 wrote to memory of 2896	2008	Djlddi32.exe	96
PID 2896 wrote to memory of 4824	2896	Dljqpd32.exe	97
PID 2896 wrote to memory of 4824	2896	Dljqpd32.exe	97
PID 2896 wrote to memory of 4824	2896	Dljqpd32.exe	97
PID 4824 wrote to memory of 3500	4824	Dohmlp32.exe	98
PID 4824 wrote to memory of 3500	4824	Dohmlp32.exe	98
PID 4824 wrote to memory of 3500	4824	Dohmlp32.exe	98
PID 3500 wrote to memory of 2692	3500	Dagiil32.exe	99
PID 3500 wrote to memory of 2692	3500	Dagiil32.exe	99
PID 3500 wrote to memory of 2692	3500	Dagiil32.exe	99
PID 2692 wrote to memory of 2540	2692	Dhqaefng.exe	101
PID 2692 wrote to memory of 2540	2692	Dhqaefng.exe	101
PID 2692 wrote to memory of 2540	2692	Dhqaefng.exe	101
PID 2540 wrote to memory of 1996	2540	Dokjbp32.exe	102
PID 2540 wrote to memory of 1996	2540	Dokjbp32.exe	102
PID 2540 wrote to memory of 1996	2540	Dokjbp32.exe	102
PID 1996 wrote to memory of 3140	1996	Dfdbojmq.exe	103
PID 1996 wrote to memory of 3140	1996	Dfdbojmq.exe	103
PID 1996 wrote to memory of 3140	1996	Dfdbojmq.exe	103
PID 3140 wrote to memory of 4480	3140	Dlojkddn.exe	104
PID 3140 wrote to memory of 4480	3140	Dlojkddn.exe	104
PID 3140 wrote to memory of 4480	3140	Dlojkddn.exe	104
PID 4480 wrote to memory of 1084	4480	Domfgpca.exe	105
PID 4480 wrote to memory of 1084	4480	Domfgpca.exe	105
PID 4480 wrote to memory of 1084	4480	Domfgpca.exe	105
PID 1084 wrote to memory of 2992	1084	Dakbckbe.exe	106
PID 1084 wrote to memory of 2992	1084	Dakbckbe.exe	106
PID 1084 wrote to memory of 2992	1084	Dakbckbe.exe	106
PID 2992 wrote to memory of 3664	2992	Efgodj32.exe	107
PID 2992 wrote to memory of 3664	2992	Efgodj32.exe	107
PID 2992 wrote to memory of 3664	2992	Efgodj32.exe	107
PID 3664 wrote to memory of 3952	3664	Ehekqe32.exe	108

C:\Users\Admin\AppData\Local\Temp\bb1d22ec30db84bead81e0830233b7f0855941948e2bf153729eccc43fe0059e.exe
"C:\Users\Admin\AppData\Local\Temp\bb1d22ec30db84bead81e0830233b7f0855941948e2bf153729eccc43fe0059e.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Windows\SysWOW64\Ccmclp32.exe
  C:\Windows\system32\Ccmclp32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\SysWOW64\Capchmmb.exe
    C:\Windows\system32\Capchmmb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5060
  - - C:\Windows\SysWOW64\Digkijmd.exe
      C:\Windows\system32\Digkijmd.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3256
    - - C:\Windows\SysWOW64\Dlegeemh.exe
        
        C:\Windows\system32\Dlegeemh.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4776
      - C:\Windows\SysWOW64\Doccaall.exe
        
        C:\Windows\system32\Doccaall.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\SysWOW64\Denlnk32.exe
        
        C:\Windows\system32\Denlnk32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Dhlhjf32.exe
        
        C:\Windows\system32\Dhlhjf32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Dofpgqji.exe
        
        C:\Windows\system32\Dofpgqji.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Dephckaf.exe
        
        C:\Windows\system32\Dephckaf.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Djlddi32.exe
        
        C:\Windows\system32\Djlddi32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Dljqpd32.exe
        
        C:\Windows\system32\Dljqpd32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\Dohmlp32.exe
        
        C:\Windows\system32\Dohmlp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Dagiil32.exe
        
        C:\Windows\system32\Dagiil32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\Dhqaefng.exe
        
        C:\Windows\system32\Dhqaefng.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        25⤵
        Executes dropped EXE
        
        PID:5056
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1336
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1656
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        28⤵
        Executes dropped EXE
        
        PID:2864
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3760
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3412
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3604
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3300
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1708
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4932
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        38⤵
        Executes dropped EXE
        
        PID:1820
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        39⤵
        Executes dropped EXE
        
        PID:1168
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        40⤵
        Executes dropped EXE
        
        PID:1484
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        41⤵
        Executes dropped EXE
        
        PID:1468
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3956
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        45⤵
        Executes dropped EXE
        
        PID:2232
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        46⤵
        Executes dropped EXE
        
        PID:1400
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5020
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        48⤵
        Executes dropped EXE
        
        PID:3064
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        50⤵
        Executes dropped EXE
        
        PID:4964
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        51⤵
        Executes dropped EXE
        
        PID:1912
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1208
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        53⤵
        Executes dropped EXE
        
        PID:4988
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3720
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        55⤵
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1004
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3392
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        58⤵
        Executes dropped EXE
        
        PID:4044
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3100
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3188
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        61⤵
        Executes dropped EXE
        
        PID:1904
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:912
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        63⤵
        Executes dropped EXE
        
        PID:2712
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3848
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        66⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        68⤵
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        69⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        70⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3548
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        72⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        73⤵
        
        PID:424
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        74⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2964
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        77⤵
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2336
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        79⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        81⤵
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5304
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        85⤵
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        86⤵
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        87⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5544
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5584
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        90⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        91⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        94⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        95⤵
        Drops file in System32 directory
        
        PID:5852
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        96⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        97⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5992
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        99⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        100⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        101⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        102⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        103⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5288
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        105⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        106⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        107⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        108⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5688
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        110⤵
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        111⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        112⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6008
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        115⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        116⤵
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        118⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        119⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        120⤵
        Drops file in System32 directory
        
        PID:5672
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        121⤵
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5884
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        123⤵
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        126⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        127⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5896
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        129⤵
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        130⤵
        Drops file in System32 directory
        
        PID:4188
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        131⤵
        Drops file in System32 directory
        
        PID:5200
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        132⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        133⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        134⤵
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6080
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        137⤵
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        138⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        140⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        141⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        142⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6188
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        143⤵
        Drops file in System32 directory
        
        PID:6228
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        144⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6280
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6324
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6360
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6404
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        148⤵
        Modifies registry class
        
        PID:6448
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        149⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        150⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6580
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        152⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6624
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        153⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        154⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6752
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        156⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        157⤵
        Drops file in System32 directory
        
        PID:6832
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6876
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        159⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6924
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6960
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        161⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7044
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7088
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7136
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6148
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        166⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6272
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        168⤵
        Modifies registry class
        
        PID:6336
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        169⤵
        Modifies registry class
        
        PID:6416
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        170⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        171⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        172⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        173⤵
        Drops file in System32 directory
        
        PID:6676
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6732
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        175⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6868
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6948
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7016
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7080
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        180⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6200
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        182⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6396
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6508
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        185⤵
        Drops file in System32 directory
        
        PID:6564
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6736
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        187⤵
        Modifies registry class
        
        PID:6852
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        188⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7076
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        190⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        191⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        192⤵
        Drops file in System32 directory
        
        PID:6480
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        193⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6740
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        194⤵
        Modifies registry class
        
        PID:6920
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        195⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        196⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        197⤵
        Drops file in System32 directory
        
        PID:6608
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        198⤵
        Modifies registry class
        
        PID:6824
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        199⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6656
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        201⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7160
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6804
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        203⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        204⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        205⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7272 -s 412
        206⤵
        Program crash
        
        PID:7408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 7272 -ip 7272
1⤵
PID:7340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bamagp32.dll

Filesize
7KB

MD5
240c167706a9bcbaede405ce924979aa

SHA1
ae96a777b796dc948e0e6a7a0178e8f2cb766606

SHA256
bf5167f12eed3d8e85e1e6304470395cace50475faa71031adb62c302accc4ce

SHA512
2036af1d3555b1a350ef695d0dc8550aa161e7371420b50651ae4a32d90fe1d68500ab4c569c5be99003460a582e9e181aaed6ef66aa1f612a7b608f4c02e819

Download Submit
C:\Windows\SysWOW64\Capchmmb.exe

Filesize
120KB

MD5
a1f8c4de6f30707eb6e63516fb70e6e7

SHA1
8dcd776846c98163ce6403bd36ae20ad4ad9d313

SHA256
2c90861508152b0d85be471ead443169f2865fe9a320c768e554ec603ad5b3fe

SHA512
e284a1b8ef4ba4bf9fa1fe2ded0aae9d4eb71b1f47101c19d584fe692df1fd5d5f41d3b682d2f058434f55f09cec18791b91e13731321a6127bf0b9d202df5f0

Download Submit
C:\Windows\SysWOW64\Ccmclp32.exe

Filesize
120KB

MD5
e842cc522bd199ae77038a60722ffb3a

SHA1
db34fa8a575aa68cfa8102c866d44401ba83c642

SHA256
a66da279ddb9a866f5749cea21e8138fb1451b7731d51021cd39038ec4d37f7f

SHA512
ef9d497925fb4c36045e1a0cbb5a8200c0a1c107d0b867ce7b2a0922e720c42daeb679a8682fbd9a25afd8076ea76b4170c187be71c77ccaaba588cad10ea60f

Download Submit
C:\Windows\SysWOW64\Dagiil32.exe

Filesize
120KB

MD5
be6a10b38c2bd835232e6ecdee122811

SHA1
e9e0c9232b97c4e4e8d7d1376430bc0e95330609

SHA256
36b532e80c41b208ffe29e7adab7159e033614a3b5597655b5ba1caaa66442e2

SHA512
c940f2a3b2e4b81d393454ddf1cc41228030fa837f5e666e998188c26026047db948181cb60d0610e7d2331c85a8282e848ed5facf979956d46bb29ad0de73ff

Download Submit
C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
120KB

MD5
5f832415f8b7935873b00d3f0222835c

SHA1
9ed474253018444805a8d9e381ff3951339727a1

SHA256
f15af4f1a02f777c49ea8e235e5f626a5b5cba6627075673f75d86ebfc7d08ad

SHA512
c126f72bc25a29810428859f23e50e21515e78e714f41dd8fcb50a6f7f4200df33d82f802e5a0b5106666790f4640b48eaedd978813d4dfbb4fa33c14e48a32f

Download Submit
C:\Windows\SysWOW64\Denlnk32.exe

Filesize
120KB

MD5
bb1692db0439c754b02ee5b91ae29a14

SHA1
ac07e57a465ff8c56624f83847ff3e2374774776

SHA256
dd99bf6214669b75789677e3663cd287826fe8c283aea373e8136110996a8f9b

SHA512
1d3cf6975c9bdc97c49606361180a2064abcc119024f3e6d01a6244ebbcdf39e8360dd67d909cd0487a259eb60f2872484a50de07d99d7c30e56840ec9f3c760

Download Submit
C:\Windows\SysWOW64\Dephckaf.exe

Filesize
120KB

MD5
0f0edc374f658b7b90a2be21da071c4d

SHA1
c6fb5c9e37749a379662d6dbdc08956e9e89d8d5

SHA256
cbdbbb3fd8a621eb0ca0087f40392a9f96aa376ce7e67c4c175289fc2f5f7d88

SHA512
33a3e2c5df25b70074ccbadd4e79e153f69dc81051236c771d93bc65ad8352655fa1088fdfbd04a0fcd257f45418aa620a1ca904e8801dbb1fbb8a2bc1740ac2

Download Submit
C:\Windows\SysWOW64\Dfdbojmq.exe

Filesize
120KB

MD5
4f4af9e59bbc1991b823ed0c8efef517

SHA1
0dac51f0a7d81822fcb7cb106d513bc9381a7d2e

SHA256
56be83459deec8aaa3c1f3c8dac7ff9b929422da8c4761c642da0846d2aceedf

SHA512
e8f3f332d09d45b378b30f5bcc4e48369676ab9d2e044b3833d8d9847b741d1c49fc1644d87d802e0591da252ba5d069327edf801174f519986c8a55536a2130

Download Submit
C:\Windows\SysWOW64\Dhlhjf32.exe

Filesize
120KB

MD5
825a8ccca4e05fed655e421831a91be3

SHA1
fee413477b6b673d23a9447bd9401823759ed44c

SHA256
9dc100e3a6e88cb58066af546c2abab7da44203db761e974181609874fc954ba

SHA512
125eaf9b101e12874a87b76d5a0bc1868ad5dd3dfac5291297c9bb5ef90b59a0e8f067cb32913d9dfde3a5b96b3d44c66208569cb8ad6a77b787dcafdf54e930

Download Submit
C:\Windows\SysWOW64\Dhqaefng.exe

Filesize
120KB

MD5
75d2aad4b73bb39245e2c84f9520b8f1

SHA1
eab88023e5cf1cbbf15f963c431396d3f48caaed

SHA256
a5aaec1b0f9daf3c7b1bd51345bbc7aebc774368e2af67761c9e4c35540dec19

SHA512
bc862426f047aff874a3a74acf8e28b8b8ed6f0b3cfd896d43f8c6d30147b6c6a576a8dafd8cdefdf27de4d0f5254d3b6b0959e8ea16306ed56259c0f0905228

Download Submit
C:\Windows\SysWOW64\Digkijmd.exe

Filesize
120KB

MD5
df64148ff66be395c9a047ba045fae45

SHA1
a3d6ed295220ada38eb88e4cb8ebde9e9ffb67a3

SHA256
fed233756c4514455068c45861ae1fcf994a7deb2dd187309eaa714f0167e04e

SHA512
d5ecfa37681fee9e9081b5cb0bb8f6b5810db1b7c53a410da984cf4be483460842e864f491520d7499fc2d68026797dc1b8c67936795e7662163d0502ade573a

Download Submit
C:\Windows\SysWOW64\Djlddi32.exe

Filesize
120KB

MD5
fd7ce0039ff191a67e815ccb80571211

SHA1
07c810dd3661efbcab21fad47f9699951e498cc4

SHA256
c3be98ca1b743deb32e4597c651332e155b1094571cb81e8fffe35542e15ef07

SHA512
c3a7d62d68f4abda813806e28508688bd2184099dbb3887e3a1d68b14d9516ab16d8e82f2b6a41d7c66393c0c5bf03d18beadcdddebd69a3c6a76bb8ea0c34d2

Download Submit
C:\Windows\SysWOW64\Dlegeemh.exe

Filesize
120KB

MD5
b52a9581a31e959d1c5b37881ababcc7

SHA1
a9a8102c0b358f2bc1ae706192529227a0fd8fd4

SHA256
59cad5dc06ad76e3e7c45a744e1b7c0826f7c944549ca4978b0d51f64b3fb6f7

SHA512
c220885a95e0b1d788a21ffb325ad63e363dd1c96f0dde29245c8576ad8d9c31f189dbf1711e74543d10e67858303d8e25f5a26c6c40fc96d04bb297e85a62dd

Download Submit
C:\Windows\SysWOW64\Dljqpd32.exe

Filesize
120KB

MD5
227cfcbb8c72f91d850930d672c779d9

SHA1
8036fc4bcdb9186173ee4f39c4d6aab7b6c68df6

SHA256
e8670cc9fbc7fde3f69fe3a64d009be7840f3261d54f7bd38e8390ef190f8e4b

SHA512
c4687958382de96132219ca412fa5407f1ba206dcc58e87567a7e88df35f7831b32595bf52973691a9392021f259becd6e439091bd1934019b9ea16e1dc2f5a0

Download Submit
C:\Windows\SysWOW64\Dlojkddn.exe

Filesize
120KB

MD5
0a973db911d32d5e0b294e612e7f8fb7

SHA1
1feb6878b4f129ba937b4d706d33396312c47435

SHA256
ada17e20a69daf1ebccf8ff211ca2df3b7a4e208d82cd2a69f89120aa9f8b714

SHA512
f6f1b24c588537382194d0d2ca312f458020fc66fa24a3ee1fa2ec660d2a9a959f680f19439e3f5a5ca0dfe652350e6a1dda5f74fa059b7b1909920fd8166870

Download Submit
C:\Windows\SysWOW64\Doccaall.exe

Filesize
120KB

MD5
04f03e298079e332534ad8947b54c155

SHA1
bd44c2ea1c6a91b2b8b476ccdf7ca70ca2719658

SHA256
e540ceb1d4f9dd0d25d46ea7a1e9625203696aecb19f6cb8b5bdaff124a3d07d

SHA512
36bdec07377e8fa7779d8bb6da8356f3816d7f40225ee709f01556ca9bc170d9f01dbc8d1a0b94b3815fef36a5f2ff3bf981b354ff87bab34653d22f936b72f4

Download Submit
C:\Windows\SysWOW64\Dofpgqji.exe

Filesize
120KB

MD5
9fa63a613bc333d51a567f217000d4ac

SHA1
cbc2366d786e8b80d20014caf604c8e8077a451a

SHA256
338d4a6899465d7ec97921c580fb2e1d6e7e82060b4a30be1f528084fff1615e

SHA512
d49bd3d755f65fe322615f973f769c260c56d5a2c24532eb154c1e8b9596434cc831c14f4bdabed3b55d447c6ad094c9e5a7018e9fd862f5873be86f7fdf0cd6

Download Submit
C:\Windows\SysWOW64\Dohmlp32.exe

Filesize
120KB

MD5
8b9c29b38c9d4cbbda61d9b1351d3280

SHA1
95ad4e98e42a72fbae7797ad6c56ced00445a5d5

SHA256
8087fddc4ba522025b589fe852f1d0fff19b34b10c6f79ce7362decaded886d5

SHA512
cd387fc38a0bb847f8091c8cf8094300eee6542943612399932c69329d4119e5df236982f3745cfde62178e03d50bdc326506287f7805335eaaf1e4915d69086

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe

Filesize
120KB

MD5
248d50bfc1c276e16300c44a588447dd

SHA1
6422a7f5a9f2e6226e1821b0e7c5501f9438aaff

SHA256
c3709d79a6935389350f2ecee5692460673ce984c649c127456a7850c645e088

SHA512
eeb8a9de79d9a204b6dfd81c32619dda9e494b1cf38bc8eddca0473f0512562d413ebbb0385ed884f4c60b4ddcf9d699b0f066f4b4cda5a6f754caffe44fff23

Download Submit
C:\Windows\SysWOW64\Domfgpca.exe

Filesize
120KB

MD5
ed2dbf008835aaf2c9dfe6417ec18dd5

SHA1
cbbcc64babb8124eeb65e4f6334fb2e13ef70894

SHA256
d11f1165f43978b61727c5be92396a0ad506d74a559eb6d1259cad477e89fb14

SHA512
1939ee0afd3c6f9fe9770672b63ee3bd6d62fd6c45831753b74472c159a81236d2b9a371d3ce4609f96e03d1420946b365a3bdbe9039b309220561134965fe3d

Download Submit
C:\Windows\SysWOW64\Ebnoikqb.exe

Filesize
120KB

MD5
39e8dcecce735afd5a8ea2ab549569a5

SHA1
91cba8f73f1b2ebb90927e8789d3bae0cadeab1c

SHA256
f9702dd5aa188287d14f368e676de8deb9709c17b1fbe7a0da11e753ed6ae3a3

SHA512
9e233e3af50951b81bfe10196d9bf32deda95fc241dbffdc9bba78bf6e48befd57012636d0f18ce22e501ad91a2244663e33715b260b9432b13959d2f25f67e5

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
120KB

MD5
739d0fac0037e6d63c3786ee837eca2b

SHA1
1f2369e7021777fe5c885eae485cda67ebacaaff

SHA256
9999faf5bf813fe06d11ba41179f2ef3c15e39c8a77ea9e5f2b93bb20986228b

SHA512
c27bbdf70b4b7718db1af53199ed783d9efbbf73173a797e5ae2e7d9396fbfd37d5733c3ddfbe14c174d2763f9e3c93490fe0037e7932a3b4f68d9914aba40a3

Download Submit
C:\Windows\SysWOW64\Ecphimfb.exe

Filesize
120KB

MD5
895acb404ac37a0f6cb7c3dcd463b321

SHA1
ee6d12985e653506652992c72dc1e2e7dca681a1

SHA256
2914b37e1a41b26928ffd4b76ffad1d4e435943a8ce5f2c408af78329340f941

SHA512
fb50d62cec6bf40dcc904363ffc74074a3acd9ff1283a2b67227ae55729bbaae04abf76412b2194097785cfbbd43132e2b1a572630d38370d94c0b6eeda5f60f

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
120KB

MD5
5d87e22128b92dc097843893d466ec26

SHA1
028c9c2828838430dc40d8e6bc82477359d5249f

SHA256
ea88162f4ba6ce99fc147b4221c68a7c3effa6b8ac0fbca0b414c223996df4c0

SHA512
c7627be02ac742156136749599f3e33624019fc9fe789856e03cebc5e234e911f54812f8926cce8217d6741ca73c0010a2e1d9ea8954cb3f62c5cabc3c0d8b3f

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
120KB

MD5
580ccb95dd420cdb12a48044f6329c21

SHA1
f9d2d5d55261eb294fd117acb763d98b431f80c0

SHA256
b6db176b308100b138c90545278879f1358b2147d19b5ec3694de83c3a8da8e1

SHA512
f43d5e65676d6842cabc0e84527667949205322089fcdfcc6a9ba4ac497f4537b1e5c2439f0dbbf5b71beafeb72284bbf3b8bbff058bacd11af2789deb60fafb

Download Submit
C:\Windows\SysWOW64\Ehekqe32.exe

Filesize
120KB

MD5
d473ec3a595c8ac0a89af0f023acfe7f

SHA1
c1880bb7581c167b13841fb40ad083366694abbf

SHA256
a8be8b46fc4096c7b4579451d3fac61d03bee6550fba069d32841d38e5640b42

SHA512
e7ff2c6fd4569540fe310f234445b46845c550ae319a7d1b0a47674545d84585d5fc3e9570026f61b96902808b3479405beba0fae9a0b6793a8c0ac967466197

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
120KB

MD5
582c34cc2e51ca26b623ffca6926f688

SHA1
41c7d074369359dcfeb9fe30c112da46939c2264

SHA256
a3ddd32f0f034c7210d41800c4e850210eddb63dbdd5204eae18ab99292afc02

SHA512
8bc63aa6ef7dc0b6fd7ef19ce4eb17327ce6d78f6ddfbc5610b3342cbdc8d717c4bce496bc44e4cc3bc498fd6eb87233958c6191629475ee51e7929ff8fc0be6

Download Submit
C:\Windows\SysWOW64\Ehjdldfl.exe

Filesize
120KB

MD5
b4a9767ad82bb0d3b02d5bdab7ccf875

SHA1
15827116d9f52967c8f09b08df7325103379f1c7

SHA256
b4a0061f2b2a4fb9b6f06618741e9b95a0a05f1645344961180b4cc949060a31

SHA512
08c622c93469b765a8bf503a4b83588b18355eb4d34a4cf81566e85fb67a6e20a2e9f01d310e5ba8de2b69b821a205618adfb7ea0b8fb9d954fadf748b95739d

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
120KB

MD5
aede4e748a3688afae6dc62a4062818d

SHA1
47d72bcd1c2dd7d681d811aa533f5046a5a11721

SHA256
b1286f8cf83c7f7624bc5276173c7716d225700a87035ce900fd7e38ef866d87

SHA512
fadcd73c0b7a23b3cbb564af3a1bfbcd2951a39c0e973ae4a0569bcb31e8631c36b8ecdf65f7dc173fab875f3080e7f16d7932b7ec2b7fccd7d983b576aebc0b

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
120KB

MD5
2f82284ea1aca0ac2c2f91002498482a

SHA1
882ca113de8554c66745191d9ec7849bc6e96eef

SHA256
a98bf1b8888cdf9f1d252b66995e476899b9883d415fb1955e1dd1439c5d8a52

SHA512
d639ed8679ad2d38b79f21be9ef53505ca4c4e6a1d8461bf8f501c44cb7a372475f97873883ce01c8c0f2aa63990d3dc7cfd0aa07d339a7a232366373d46f729

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
120KB

MD5
d942727661b29abc377e2c78318cc392

SHA1
e565b336843c06760de12dd0e500e5cc85e2eae9

SHA256
1de556a41eb11ec3203bd30557c5b6b5715392756da3187a8cfddcb1a0d02d8b

SHA512
ed71d236fd8248fe27e3fc3c4c25b0af01a4eb005b703d0422d1b15a75247c6642d7785d9767d8095cefc16b085ae31f16339ddaa30010374822f9f6392d37cd

Download Submit
C:\Windows\SysWOW64\Eoocmoao.exe

Filesize
120KB

MD5
66dbd6e9c72bd68f2db629b7dd8616e0

SHA1
4c6d5b5089ee803ab687fb534c180c08141a8137

SHA256
aa123eb54e6c769e7da59b4d2aaa4e381dbfa7b619363dd47f4c95324c4f8aa7

SHA512
e5e8593b1feedd9fd308b21c9776758458fef06782163506ac986ec9df82ea79cdc6d40ef5e2bb376abda95ff11c40e90ba01e48ceda304bb07a099db4f701e4

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe

Filesize
120KB

MD5
ca247a5a9ecf46339eab18ea0c28072f

SHA1
0acb2933718fab710db49bb86e206430252bc529

SHA256
5b9b48a69184a9b64cd6e0b1c15a99422ca5a148a271ac7b70113a50b4321175

SHA512
394dc7d1c31070931665a9f1b66edd7cb08f96d5c9e1f7e22d64c5fe80d211027774a02a9ded878d15157c7cb3ce6d7cd37a6e26e19a95f818c2b335be99eb65

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
120KB

MD5
31d2ae1df98f1f3ac031085194f16382

SHA1
469114c1aa180c80d59fa8f61f8184b8cb2b0db7

SHA256
fef703dc2df3dfdadceb20813d19eab5df0f1bac2e5afade5618d381daea5450

SHA512
bb9abbacc993a2cf5604ea579c33f1c0714c75dade3700f623f11e9bef9ea57f6bc34887821daf8c729d7dcada8fddd2280fe49945997d05af086a57f766b2a4

Download Submit
memory/912-430-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1004-394-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1040-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1084-157-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1168-292-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1208-370-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1336-200-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1400-339-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1468-304-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1484-302-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1656-207-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1708-272-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1820-286-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1872-184-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1904-424-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1912-364-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1996-127-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2008-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2056-388-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2116-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2232-328-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2540-119-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2664-284-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2692-111-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2712-436-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2864-215-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2896-88-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2992-162-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3064-346-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3100-412-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3140-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3188-423-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3224-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3256-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3260-228-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3300-262-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3392-400-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3412-243-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3500-103-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3532-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3536-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3544-316-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3604-256-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3664-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3720-382-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3760-232-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3848-446-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3952-176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3956-322-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4044-411-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4196-252-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4328-352-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4480-144-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4508-310-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4776-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4808-55-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4824-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4932-274-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4964-358-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4976-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4988-380-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5020-345-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5056-192-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5060-15-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads